All,
I know sssctl user-checks <user> will tell you whether this account is conferred login or not.
You're looking for line:
pam_acct_mgmt: Success
Is there a utility (or some verbose output on sssctl user-checks) that tells you membership in which group is conferring you access?
I know a commercial product where the equivalent login test outputs something like this:
[root@gordita root]# vastool user checkaccess admben_lee
Access allowed. (RULE ALLOWING: membership in group gbllinuxsup)
Particularly with nested subgroups (bad practice I know) and a user member of 10 - 12 AD groups, it's often a challenge to chase which group membership is allowing login.
Do the sssd logs in debug level 9 give this info? I just tried this, running sssctl user-checks against myself.
I just checked the sssd logs and it says I'm a member of 110 supplemental AD groups! (Luckily not all are UNIX-enabled, so they cannot confer me login access.)
I see this in the sssd logs:
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_check_groups] (0x4000): [RID#2] Checking against allow list group name [ amerlinuxsup@amer.company.com].
(2024-10-02 10:22:53): [be[amer.company.com]] [sss_domain_get_state] (0x1000): [RID#2] Domain amer.company.com is Active
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_check_groups] (0x4000): [RID#2] Checking against allow list group name [ amerlinuxeng@amer.company.com].
(2024-10-02 10:22:53): [be[amer.company.com]] [sss_domain_get_state] (0x1000): [RID#2] Domain amer.company.com is Active
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_check_groups] (0x1000): [RID#2] Group [AmerLinuxEng@amer.company.com] found in allow list, access granted.
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_access_check_done] (0x2000): [RID#2] Group check done
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_access_check_recv] (0x1000): [RID#2] Access granted
So it's in the sssd logs. Is there a simpler command that will give this same info?
Spike White
sssd-users@lists.fedorahosted.org
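An added example, not part of the post above and not sssd project code: a small Python parser for the domain log lines the poster quotes. It groups the simple access provider messages by request id (the `[RID#n]` tag), records which allow-list groups were tried, picks out the `found in allow list, access granted` line, and prints one vastool-style summary per request. Assumptions: the record layout and message strings are taken only from the quoted excerpt (a denial therefore shows as whatever `simple_access_check_recv` logged, with the list of groups tried), the sample log below is constructed to match that excerpt, and the log file path is whatever you pass as the first argument (typically the `sssd_<domain>.log` file under `/var/log/sssd/`).

```python
import re
import sys
from collections import defaultdict

# Constructed sample, modelled on the log excerpt quoted in the post
# (same record shapes and message strings; not a real capture).
SAMPLE_LOG = """\
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_check_groups] (0x4000): [RID#2] Checking against allow list group name [ amerlinuxsup@amer.company.com].
(2024-10-02 10:22:53): [be[amer.company.com]] [sss_domain_get_state] (0x1000): [RID#2] Domain amer.company.com is Active
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_check_groups] (0x4000): [RID#2] Checking against allow list group name [ amerlinuxeng@amer.company.com].
(2024-10-02 10:22:53): [be[amer.company.com]] [sss_domain_get_state] (0x1000): [RID#2] Domain amer.company.com is Active
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_check_groups] (0x1000): [RID#2] Group [AmerLinuxEng@amer.company.com] found in allow list, access granted.
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_access_check_done] (0x2000): [RID#2] Group check done
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_access_check_recv] (0x1000): [RID#2] Access granted
"""

# One domain-log record: "(timestamp): [be[domain]] [function] (level): [RID#n] message"
# The RID tag is optional so records without one still parse.
RECORD_RE = re.compile(
    r"^\((?P<ts>[^)]*)\): \[be\[(?P<domain>[^\]]*)\]\] \[(?P<func>[^\]]*)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?:\[RID#(?P<rid>\d+)\] )?(?P<msg>.*)$"
)
# Message strings as they appear in the quoted excerpt (assumed stable).
CHECKED_RE = re.compile(r"Checking against allow list group name \[\s*(?P<group>[^\]]*?)\s*\]")
GRANTED_RE = re.compile(r"Group \[(?P<group>[^\]]*)\] found in allow list, access granted")


def explain_access(log_text):
    """Return {rid: {domain, checked, granting_group, outcome}} for every
    request that produced simple access provider records in log_text."""
    requests = defaultdict(
        lambda: {"domain": None, "checked": [], "granting_group": None, "outcome": None}
    )
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # wrapped line or a record from another component; skip
        func, msg = m.group("func"), m.group("msg")
        if func not in ("simple_check_groups", "simple_access_check_recv"):
            continue
        req = requests[m.group("rid") or "-"]  # untagged records pool under "-"
        req["domain"] = m.group("domain")
        if func == "simple_check_groups":
            checked = CHECKED_RE.search(msg)
            if checked:
                req["checked"].append(checked.group("group"))
                continue
            granted = GRANTED_RE.search(msg)
            if granted:
                req["granting_group"] = granted.group("group")
        else:
            # Final verdict line; kept verbatim so a denial is reported as logged.
            req["outcome"] = msg.strip()
    return dict(requests)


def format_report(requests):
    """One line per request: final outcome plus the rule that allowed it."""
    lines = []
    for rid, req in sorted(requests.items()):
        if req["granting_group"]:
            rule = f"RULE ALLOWING: membership in group {req['granting_group']}"
        else:
            tried = ", ".join(req["checked"]) or "none"
            rule = f"no allow-list group matched; groups tried: {tried}"
        outcome = req["outcome"] or "no final result logged"
        lines.append(f"RID#{rid} [{req['domain']}] {outcome} ({rule})")
    return lines


if __name__ == "__main__":
    # Usage: python explain_sssd_access.py /var/log/sssd/sssd_<domain>.log
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print("\n".join(format_report(explain_access(text))))
```

Run it against the domain log right after `sssctl user-checks <user>` with debug_level high enough to emit the `simple_check_groups` records (0x4000 is in the poster's excerpt); each request id then maps to the single group that satisfied the allow list, which is the answer the poster is chasing through nested groups.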